From a52d2ed0a03f6da3aaaafce12a7e1d31e3364c12 Mon Sep 17 00:00:00 2001
From: Codebeast
Date: Wed, 20 May 2026 04:12:21 -0500
Subject: [PATCH 1/2] chore(ci): stamp supply chain policies via charter stamp-policies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- SHA-pins 4 floating action tags in ci.yml and publish.yml (actions/checkout@v6, actions/setup-node@v6 → verified commit SHAs)
- Adds .github/workflows/supply-chain.yml: SBOM + dep-review callers sourced from Stackbilt-dev/stackbilt_llc reusable workflows
- Installs .charter/patterns/floating-action-pins.json drift guard
- Enables charter drift on .github/workflows/*.yml
Governed-By: Stackbilt-dev/stackbilt_llc#11
Co-Authored-By: Claude Sonnet 4.6
---
 .charter/config.json | 8 ++++++++
 .charter/patterns/floating-action-pins.json | 10 ++++++++++
 .github/workflows/ci.yml | 4 ++--
 .github/workflows/publish.yml | 4 ++--
 .github/workflows/supply-chain.yml | 18 ++++++++++++++++++
 5 files changed, 40 insertions(+), 4 deletions(-)
 create mode 100644 .charter/config.json
 create mode 100644 .charter/patterns/floating-action-pins.json
 create mode 100644 .github/workflows/supply-chain.yml
diff --git a/.charter/config.json b/.charter/config.json
new file mode 100644
index 0000000..458cb6e
--- /dev/null
+++ b/.charter/config.json
@@ -0,0 +1,8 @@
+{
+ "drift": {
+ "enabled": true,
+ "include": [
+ ".github/workflows/*.yml"
+ ]
+ }
+}
diff --git a/.charter/patterns/floating-action-pins.json b/.charter/patterns/floating-action-pins.json
new file mode 100644
index 0000000..e094416
--- /dev/null
+++ b/.charter/patterns/floating-action-pins.json
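Review bot: The drift include glob `".github/workflows/*.yml"` covers only the `.yml` extension, while GitHub also executes workflow files saved as `.yaml`, so a workflow added under that extension would sit outside the floating-pin guard entirely. Add a second entry, `".github/workflows/*.yaml"`, next to the existing one so both spellings are scanned. How charter interprets these patterns (shell-style glob or otherwise) is not visible in this patch, so confirm that the two entries are accepted as a list before relying on it.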
@@ -0,0 +1,10 @@
+{
+ "id": "floating-action-pins",
+ "name": "Floating Action Pins",
+ "category": "SECURITY",
+ "status": "ACTIVE",
+ "anti_patterns": "uses: (?!Stackbilt-dev/)(?!\\./)[^@]+@v[\\d]",
+ "blessed_solution": "Pin to full commit SHA with a # vX.Y.Z comment: uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4",
+ "rationale": "Tag-based action pins are mutable — a supply chain attacker can move the tag to a malicious commit. SHA pins are immutable.",
+ "created_at": "2026-05-20T00:00:00.000Z"
+}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2c80157..8ac5c24 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,8 +13,8 @@ jobs:
 matrix:
 node-version: [18, 20, 22]
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-node@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: ${{ matrix.node-version }}
 - run: npm ci --ignore-scripts
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 0a54a28..c97dcbe 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -11,8 +11,8 @@ jobs:
 contents: read
 id-token: write # Required for npm provenance
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-node@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: 22
 registry-url: https://registry.npmjs.org
diff --git a/.github/workflows/supply-chain.yml b/.github/workflows/supply-chain.yml
new file mode 100644
index 0000000..19beaba
--- /dev/null
+++ b/.github/workflows/supply-chain.yml
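Review bot: The `anti_patterns` regex only matches refs of the form `@v<digit>`, so a branch ref such as `@main` or a tag without a `v` prefix passes the guard even though it is just as mutable as `@v6`, and the `(?!Stackbilt-dev/)` lookahead exempts the org's own actions, whose tags can be moved in exactly the same way. A positive rule is tighter and also stops `[^@]+` from spanning across lines to an unrelated `@`: flag any non-local `uses:` whose ref is not a 40-hex commit, e.g. `"anti_patterns": "uses: (?!\\./)[^@\\s]+@(?![0-9a-f]{40}\\b)\\S+"`. If `docker://` images are ever referenced by digest, extend the negative lookahead to accept `sha256:` digests as well. The `blessed_solution` text asks for a `# vX.Y.Z` comment but its own example ends in `# v4`, so align the example with the full release tag it resolves to.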
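Review bot: The trailing comment on both new `uses:` lines records only the major tag `# v6`, which does not say which release each SHA was taken from, so a reviewer cannot check that the commit matches the intended release and tools such as Dependabot or Renovate, which read that comment to track the pinned version, get no exact starting point. Record the exact tag instead, e.g. `# v6.<minor>.<patch>` for whichever release `de0fac2e…` and `48b55a01…` resolve to upstream, and confirm each SHA belongs to `actions/checkout` and `actions/setup-node` themselves rather than a fork before merging. The identical pins and comments in publish.yml in this same patch have the same gap. The job definition that holds these steps begins outside the hunk.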
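Review bot: The `actions/checkout` step in this publish job keeps the default `persist-credentials: true`, which leaves the job's `GITHUB_TOKEN` in the checkout's `.git/config` for every later step, including the publish step the `id-token: write` grant exists for, while the job itself only declares `contents: read` and so has nothing to push. Disable it on the checkout step: `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6` followed by `  with:` and `    persist-credentials: false`. The publishing steps are outside the hunk, so confirm none of them relies on git writing with that token before applying this.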
@@ -0,0 +1,18 @@
+name: Supply Chain
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+jobs:
+ sbom:
+ uses: Stackbilt-dev/stackbilt_llc/.github/workflows/supply-chain-sbom.yml@006a05aa3f37966207e0a2068a947715a91536be
+ with:
+ node-version: '22'
+ package-manager: 'npm'
+
+ dep-review:
+ if: github.event_name == 'pull_request'
+ uses: Stackbilt-dev/stackbilt_llc/.github/workflows/supply-chain-dep-review.yml@006a05aa3f37966207e0a2068a947715a91536be
From 05dbbc432feb21f6a8d301a4c319d0e149f74bbb Mon Sep 17 00:00:00 2001
From: Codebeast
Date: Wed, 20 May 2026 05:14:31 -0500
Subject: [PATCH 2/2] fix(ci): re-stamp supply-chain refs to stackbilt_llc main SHA
Updates supply-chain.yml reusable workflow refs from the PR branch tip (006a05aa) to the durable post-merge main SHA (c87defbe).
Governed-By: Stackbilt-dev/stackbilt_llc#11
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/supply-chain.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/supply-chain.yml b/.github/workflows/supply-chain.yml
index 19beaba..28181bb 100644
--- a/.github/workflows/supply-chain.yml
+++ b/.github/workflows/supply-chain.yml
@@ -8,11 +8,11 @@ on:
 
 jobs:
 sbom:
- uses: Stackbilt-dev/stackbilt_llc/.github/workflows/supply-chain-sbom.yml@006a05aa3f37966207e0a2068a947715a91536be
+ uses: Stackbilt-dev/stackbilt_llc/.github/workflows/supply-chain-sbom.yml@c87defbe10de10c7d53653338d330bcd48d41746
 with:
 node-version: '22'
 package-manager: 'npm'
 
 dep-review:
 if: github.event_name == 'pull_request'
- uses: Stackbilt-dev/stackbilt_llc/.github/workflows/supply-chain-dep-review.yml@006a05aa3f37966207e0a2068a947715a91536be
+ uses: Stackbilt-dev/stackbilt_llc/.github/workflows/supply-chain-dep-review.yml@c87defbe10de10c7d53653338d330bcd48d41746
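Review bot: The caller workflow declares no top-level `permissions:`, so the `sbom` and `dep-review` jobs hand the reusable workflows whatever the repository's default `GITHUB_TOKEN` grant is, which on repositories with the older default is read/write across every scope, whereas the publish.yml hunk in the same patch scopes its token to `contents: read` plus `id-token: write`. Add `permissions:` / `  contents: read` at the top of the file and grant at job level only what each called workflow needs; the two workflows live in `Stackbilt-dev/stackbilt_llc`, so their actual requirements (an SBOM upload, a dependency-review comment) are not visible here and must be read from the callees at the pinned SHA. The two `uses:` refs are SHA-pinned but, unlike the ci.yml pins, carry no `# <ref>` comment saying what the SHA was taken from; add one (e.g. `# main <date>` or the release tag) so reviewers and update tooling can place it. The second patch re-stamps these same two lines and inherits both gaps.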